Posted by michael on Thursday May 22, 2003 @10:52AM from the hoist-by-own-petard dept.

PCOL writes "The Washington Post is reporting on testimony before the Senate Committee on Commerce, Science and Transportation by Ronald Scelson, an eighth-grade dropout and self-taught computer programmer from Louisiana, who claims that he sends between 120 million and 180 million e-mails every 12 hours, that he can break sophisticated software filters 24 hours after they are deployed, and that he has no choice but to resort to forging the sender information in his bulk e-mail so he can be anonymous and maintain his connection to the Internet. He added that he obtained all his addresses legally and that AOL gladly sold him the company's entire customer directory which Ted Leonsis, vice chairman of AOL, did not deny." It's a tough life. Here's another story about the Senate committee meeting.

Leonsis, who had testified minutes earlier about how AOL was blocking 2.4 billion pieces of spam per day, did not answer directly.

"We let members opt out" of commercial messages sent by the company and affiliates, he said. And he accused Scelson of violating the company's "terms of use" agreement by using AOL's membership directory as a source for e-mail addresses. Scelson readily agreed.

Hello Pot, this is the kettle, you're black!!

AOL is a bigger part of the problem vs being a bigger part of the solution.

Yes, AOL sends commercial messages to its members, but it doesn't spam the rest of the world too -- a perhaps small but significant difference. They do offer a "check here to opt-out of commercial messages" mechanism, but it auto-resets itself after a period of time.

Hmmmm.... AOL blocks 2.4 billion spams a day. I wonder how many the company generates itself to send to its own members.

Does the never ending stream of AOL CD's mailed in the post not count as spam?

No, it doesn't. Spam is unsolicited e-mail. What AOL does has been going on for long before the term spam came around. It is also different in that there's no forgery, you can return it to sender, etc. Whether AOL should be sending out tons of CDs is certainly debatable, but it is something different from spam.

That's what USPS Form 1500, Application for Listing & Prohibitory Order (pdf), is for.

Maybe not. The application states:

"The attached mailpiece, from the mailer identified below, offers for sale matter that I believe to be erotically arousing or sexually provocative and therefore is a pandering advertisement. Under the provisions of 39 USC 3008, I request that a Prohibitory Order be issued against the mailer and the mailer's agents or assigns."

Unless you use the AOL CD as an artificial vagina, you won't get far with that application.

a. Whoever for himself, or by his agents or assigns, mails or causes to be mailed any pandering advertisement which offers for sale matter which the addressee in his sole discretion believes to be erotically arousing or sexually provocative shall be subject to an order of the Postal Service to refrain from further mailings of such materials to designated addresses thereof.

...and...

Both the absoluteness of the citizen's right under 4009 and its finality are essential; what may not be provocative to one person may well be to another. In operative effect the power of the householder under the statute is unlimited; he may prohibit the mailing of a dry goods catalog because he objects to the contents or indeed the text of the language touting the merchandise. Congress provided this sweeping power not only to protect privacy but to avoid possible constitutional questions that might arise from vesting the power to make any discretionary evaluation of the material in a governmental official.

It is not up to the post office to decide that you can't get aroused by AOL CD's. In a nutshell, what's offensive to you may be miles apart from what's offensive to me, so the Supreme Court decided it's not up to the post office to make the judgement call. If you deem it offensive, form 1500 applies.

I've used it successfully to stop CitiBank's incessant bombardment of "you're pre-approved" credit card offers (I was literally getting 3 a day for a while). Try it, it works.

hardly the same thing - at least AOL's emails have valid headers so you know they've come from AOL. And they've sent emails for something you *might* be interested in. And they honour the opt-out. And they don't send the same damn thing ten times every hour.

50 AOL CDs in the post over the years? Big deal compared with the 50 spam emails per day I receive (not counting the account I don't use anymore due to the amount of spam in it).

Compare a legitimate company with a spammer by all means, but keep the perspectives in place. The relatively insignificant amount of legit commercial email is not part of the spam problem.

Both consume limited storage space. Junk mail can fill up your postal mailbox and you'll then get a note, "You can pick up the rest of your mail at the post office." How fun. Spam fills up your email inbox until the sender of the next message gets "MORTAR_COMBAT!@slashdot.org's email is full".

Both abuse a common carrier system, paid for at least partially by the recipients of the message. Junk mail is usually paid for using bulk pricing systems, subsidized by the rest of the postal audience.

Junk mail is usually paid for using bulk pricing systems, subsidized by the rest of the postal audience.

I'm afraid you have it backwards. Bulk mail, even at its reduced rate, is what allows you to send a letter at 39 cents. Bulk mail is presorted so as to make processing time for the post office almost nothing. Your letter with sloppily written address actually takes time to be read and sorted.

Also, the USPS is a government sponsored monopoly but it doesn't receive any tax payer dollars. It is self funding.

Finally, large glossy catalogs are very expensive for companies and they are not typically sent to people who haven't shopped in the store before or requested the catalog specifically. They therefore are not in the same category as snail spam.

Also, the USPS is a government sponsored monopoly but it doesn't receive any tax payer dollars. It is self funding.

Not only that, but it's even older than the government. The post office was conceived under the Articles of Confederation, before the current government under the Constitution. And not only did it pay for itself, but it was once the primary source of revenue to fund the government.

[start spam]
Are you a spammer down on your luck??? Have you been disconnected from every major ISP in your area????? Getting tons of flames in your personal inbox??????

Well, fret no longer! I used to be in your shoes, but now I'm one of the top spammers in the world! I used to receive tons of mail from angry slashdotters, but no longer!!! I've discovered the ancient secrets of the internet, previously unknown RFC commands, MAPI and IMAP loopholes, weakness in POP, PAP, SMTP, RTFM/RTFA, ID-10T commands, and so much more!!!!
For just $19.95, I will send you the secrets of becoming a true world class spammer!

With my tested methods, you will:
keep your name and address hidden from vigilantes
maintain your account with any ISP legally
earn thousands of dollars a day from your home without lifting a finger! Ok, just one, to click the mouse! That's how easy and simple it is!!!
and so much more!
Just send the check for $19.95 to...
[end spam]

Spam is business, right? they do what they do to make money via advertisements. Well, here is something i just thought up during lunch that might thwart spam in a way

The difference between spam and bulk emailing is that you are forced to recognize spam, and get rid of each spam individually. Also, spam is very cheap. But, what if you got one (1) email a day with spam, advertisements, etc.? This single spam would contain all the regular advertising you'd otherwise get in 50 emails. Sounds cool huh?

Problem: we'd have to get the regular spammers to stop, first. How do we do that? Well, we'd set up a site expressly for this program, let's call it gerfmail.com. Everyone would get a new, permanent, free email there. Like hotmail, but sans spam. In order for a company to be included in the LEGIT single, daily (or weekly even) email of advertising, the parent company would be required to agree not to use spammers who spam gerfmail.com with their usual spam. With this method, spammers are forced by their INCOME SOURCE to stop spamming anyone at this site. If a product is spammed to gerfmail.com, then they lose some sort of advertising rights for a period of time, and lose a lot of money. This would put pressure on them (X10, Orbitz, whoever) to only allow legit advertising to people hosted at this site.

What about illegal spam, for illegal products? Easy, any product that is not in that single, daily email, is considered to be unwanted, and likely a fraudulent business. Any information about them will be submitted to the authorities, feds, or whatever gov't can do anything. This might create a lot of work for police at first, but when spam is knocked down to a manageable level, it will be extremely easy to track down the few spams sent out.

Call this a crackerjack idea, or add to it, I don't care. But the reality is, there must be a business plan enacted that inherently discourages spam before it can truly be combated in an effective, capitalistic way.

"This is censorship," he said, arguing that both anti-spam vigilantes and Internet providers that filter out spam are depriving people of their right to see their mail.

Dear God, I hope the committee saw through this pathetic little charade. Last time I checked, I had no obligation to pay to receive advertising; I had no right to force others to pay the cost of carrying that advertising; I had no right to force others to put up with the deluge of complaints about that advertising.

And if he's right about AOL selling him their membership list and spamming their members (and AOL VP Leonsis' weasel words about "letting members opting out" does nothing to make me think otherwise), all that means is there are two assholes there instead of one. It doesn't give him any moral high ground.

But at least there's the proposal for a "federal antispam SWAT team". I'd pay good money to see a live video stream of that take-down.

>But at least there's the proposal for a "federal antispam SWAT team". I'd pay good money to see a live video stream of that take-down.

I hate to say it, but I hope the SWAT team proposal fails. How will the Federal SWAT team know who to raid? If they can trace a spammer they can trace activists, dissidents, anybody who might be a terrorist, they can trace anybody. Sure they can do it now to a large degree, but if there's a Federal SWAT team they'll need access to some sort of system right? Something like the Terrorist Information Awareness network or Carnivore but geared specifically towards email and only email. The SWAT team has to be efficient right? Mistakes would make them look real bad.

The worst thing spammers will do is cause even more loss of privacy, loss of open mail relays, and an increase of government monitoring of email.

I'm not entirely sure but I think for now I'd rather wear out my delete key a bit more and wait for better technical solutions. The legal solutions are just much too likely to be worse than the problem.

One of the reasons why sending advertisements over the Fax is now illegal (without prior authorization, etc, etc, etc) is because it costs *me* money to receive *your* ad.

In the case of bulk snail mail, 100% of the costs (if you don't include me physically picking up the mail, looking at it, and tearing the latest "Want a 0% interest credit card that jumps to 30% later?" envelope as cost) is paid by the sender.

In the case of a fax, *I* pay the paper, toner, etc. So even at $0.01 per ad, if it wasn't stopped I could wind up paying hundreds/thousands a year for the honor of receiving ads.

In the case of spam email, I believe that the same conditions apply. While I might not pay directly $0.01 per "spam email sent", I am paying by having my web space taken up (for those with ISP's that limit their mail boxes to 5 - 10 MB). And if my business relies on emails, *your* spam interferes with my ability to do work, thereby costing me money.

Add in that most spammers forge their address, hijack (or at least use without permission "open relays" (who should be closed anyway, yes, I'm looking at you, China, Korea, and any other country who's causing this problem)) other people's mail servers (thereby costing the mail server money they did not want to spend on bandwidth, storage, processor, etc).

I should hope that the Senate should make a very simple anti-spam plan:

If you send an unwanted email as an advertisement, you must have a method of truly getting someone off of the list.

If you sell the email addresses of your clients, you should be required to state to whom they have been sold so you can opt out *before* you get spam mail.

There should be a "national opt-out" spam list that all spam senders must check before sending a message.

Violating these agreements, or sending another message after the user has "opted out" is punishable by a $1000 fine per email sent.

There should be a "national opt-out" spam list that all spam senders must check before sending a message.

If such a list existed, you can bet your bottom dollar that every spammer will pay very close attention to it. It would be a list of 100% valid email addresses! Normally they would have to pay for lists of email addresses, and here is one that is free and guaranteed to be accurate.

The spammer could then fire up the spambox which is conveniently located outside of the US, bounce the spam off of an open relay in the Far East, and it would be business as usual.

If anyone out there believes that the spammers are honest and trustworthy, they deserve all the viagra, penis/breast enlargement/pr0n spam they get in their inbox...

This national database could store irreversible hashes of the addresses. This way it would not be possible to extract addresses from the database, while it would still be possible to check whether some address is present in it.

Still a problem. You can verify your list of emails, or write a brute force program that will keep track of all emails that are verified by the address. a@aol.com aa@aol.com ab@aol.com and see which ones are in the directory.

These verified email addys would then be sold from spammer to spammer and eventually most of the database will be cracked and valid email addresses known.

It just won't work until there is an enforceable penalty and since most get routed outside the US, a nospam list will never be a solution (unless ratified by the world, heh).

Better to scrap the current email protocols and develop a new one that enforces accountability. Don't ask me how this'll work, but I think it the best solution out there.
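The two posts above make a point worth seeing in code: a registry of unkeyed hashes protects nothing when the input space (short local parts at a known domain) can be enumerated, because anyone holding the list can test candidates offline. This added example, not part of the original thread, contrasts that design with the registry keeping the hash keyed under a secret it never publishes, so the list alone no longer answers membership queries. All addresses, domains and the key are constructed sample values.

```python
import hashlib
import hmac
import itertools
import string

# Constructed sample registry contents (hypothetical domains, not real addresses).
OPT_OUT_ADDRESSES = ["ab@aol.example", "zz@aol.example", "carol@isp.example"]


def normalise(address: str) -> bytes:
    """Canonical form before hashing: trimmed and lower-cased."""
    return address.strip().lower().encode()


def plain_hash(address: str) -> str:
    """Unkeyed SHA-256, i.e. the 'irreversible hash' design proposed above."""
    return hashlib.sha256(normalise(address)).hexdigest()


def keyed_hash(address: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret the registry holds; without the key a
    candidate address cannot be turned into a comparable digest."""
    return hmac.new(key, normalise(address), hashlib.sha256).hexdigest()


def build_plain_list(addresses):
    return {plain_hash(a) for a in addresses}


def build_keyed_list(addresses, key: bytes):
    return {keyed_hash(a, key) for a in addresses}


def enumerate_candidates(domain: str, max_len: int):
    """The a@, aa@, ab@ ... pattern from the thread: every lowercase local part
    of up to max_len characters at one domain (26 + 26**2 = 702 for max_len=2)."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(chars) + "@" + domain


def recover_members(hash_list, domain: str, max_len: int, hasher):
    """Offline membership test: whoever holds the list and can compute the
    same digest learns which candidates are registered."""
    return [c for c in enumerate_candidates(domain, max_len) if hasher(c) in hash_list]


def registry_check(address: str, keyed_list, key: bytes) -> bool:
    """What the registry itself would run for a sender's query: the key
    stays server-side, so the sender only learns one yes/no per address."""
    return keyed_hash(address, key) in keyed_list


if __name__ == "__main__":
    key = b"constructed-registry-secret"
    plain = build_plain_list(OPT_OUT_ADDRESSES)
    keyed = build_keyed_list(OPT_OUT_ADDRESSES, key)
    print("plain list, enumerated:", recover_members(plain, "aol.example", 2, plain_hash))
    print("keyed list, no key:    ", recover_members(keyed, "aol.example", 2, plain_hash))
    print("registry answers:      ", registry_check("ab@aol.example", keyed, key))
```

The keyed design moves the problem rather than removing it: a sender now has to submit plaintext addresses to the registry to get an answer, so the registry must rate-limit and log queries, or the same enumeration just happens online. That trade-off is the substance of the "it would be a list of 100% valid addresses" objection, and no hashing scheme on its own resolves it.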

If such a list existed, you can bet your bottom dollar that every spammer will pay very close attention to it. It would be a list of 100% valid email addresses! Normally they would have to pay for lists of email addresses, and here is one that is free and guaranteed to be accurate.

In order for unsolicited *commercial* email (read: spam) to be effective, there *must* be a product/service to purchase and a method to contact the seller.

Yell at/Fine the seller. They will know which campaign did the spamming. Then fine the spammer.

In order for the spammer (or the company the spammer is spamming for) to get my money, they have to provide a way for me to contact them. It doesn't matter if they use open relays on Mars, they still, ultimately, have to provide a method for me to contact them.

That means that a national opt-out list, coupled with a spambounty (or some other kill-the-spammer type legislation) *would* matter, and it would *not* be business as usual.

I agree with most of your points, but the problem with mandating spam to include an opt out link (which I think most "legit" spam does) is that there will still be people that use the remove@ messages to harvest "live" email addresses. I tell people these days to *never* reply to spam, no matter what it says, simply because chances are better that way.

Even if all "legit" spams did this, it only takes one person to start harvesting this way and the whole thing completely loses its meaning. And when you'

I've been checking - most of the spam I get is actually from Windows boxes that don't have port 25 open (or other proxy ports). On some of them, the ones that invited me in (because they spammed me ;) ), I've been able to look around. I've found the usual spyware - Gator, KaZaa, etc. I'm not sure if any of those allow the companies to send spam from 'doze boxes, but it sure wouldn't surprise me.

Opt-out is a cop-out. Why should ANYone ever be required to opt-out of any E-mail list that they never opted into in the first place?

You, like many others (thieving parasites like Scelson included), are still overlooking one critical fact:

The Internet is not now, nor has it ever been, a truly "public" resource. Nobody in the government pays me any subsidy to operate my servers, and I don't know of any ISPs in the U.S. that are receiving any similar subsidies.

I pay, out of my own pocket, for the electricity and bandwidth that my servers require to work as they do, just as anyone from a mom-n'-pop ISP to a giant like Earthlink pays for the electricity and bandwidth to run theirs.

In each case, whether you're a single individual or a multinational conglomerate, or anywhere in between, your servers are YOUR PRIVATE PROPERTY, along with the mailboxes on them. You might rent them to others, as ISPs do, but the only guarantee that ANYone has in terms of sending and receiving mail is whatever guarantees are in the contract that gets signed between an Internet provider and their customers.

When spammers spam, they're violating private property rights. Period. When someone spams me, or one of my other users, they're STEALING from me. When someone spams AOL, they're stealing from AOL and its users. When someone spams ANYone with a 'net-connected system, it is theft of resources. Period.

I will do whatever it takes to protect my systems from such intrusions. If that means risking the loss or delay of some legitimate E-mail, so be it.

Apparently, AOL is taking a similar path. That's fine. They have absolute and final authority over their own equipment. Scelson can scream "censorship!" all he wants, but he still has no right to mail to someone else's network if they don't want to receive his (or any other spammer's) crap.

I work for a company that prints mass quantities of "direct mail." The cost factor is one of the things that keeps my conscience relatively clean: our customers pay for everything. Research, package layout, list maintenance, materials, printing, postage. And the return rate makes it all worthwhile to them. But the DM News magazines still claim "innovative" email solutions, and my company was considering getting into mass email. I doubt they will now, it's just not possible for a spammer to be REALLY successful unless they are mobile, anonymous, and willing to sidestep a few laws.

I have an interesting question though: if receiving spam cost you money because you pay for bandwidth, what about other advertising? How much do you pay for the time commercials are shown on cable channels? How much money per month is spent on electricity, during the times when the TV is being used to display advertisements in your home? How much is your time worth?

But then when you start filtering data on content, you are not an impartial conduit. You might then be taking responsibility for the content you do let through. I think ISPs are more scared of that than spam.

ISP's should let you opt out of their default mail filtering policy, then these spammers lose a big part of the argument. Either opt in spam filtering and opt in bulk email, or opt out spam filtering and opt out bulk email.

After his three children were asleep late one Saturday night last November, Jones sat down at his PC for a bit of spammer-flaming. First, he says, he visited a Web site, slashdot.org, that's a favorite among techies; he pulled down a list of about 10 alleged spammers. He programmed his personal computer to send a letter to each supposed spammer in the same way many spammers do: through so-called open relays and mail servers that forward e-mail in ways that make it hard to track down the sender. As his finishing stroke, he had his PC send the message to each spammer 10,000 times.

"We use the same methods the spammers use," says Jones, chuckling. "It's a bombardment."

Has Slashdot become a haven for anti-spammers? While I hate spam, I'm not sure that vigilante action is the right way to handle the problem. Although the article doesn't say that we endorse anti-spam vigilante actions, it makes it look like we're a hub for this sort of thing.

Has Slashdot become a haven for anti-spammers? While I hate spam, I'm not sure that vigilante action is the right way to handle the problem. Although the article doesn't say that we endorse anti-spam vigilante actions, it makes it look like we're a hub for this sort of thing.

I think, to a certain extent, it has. Consider for a moment, whenever we have a story about a specific spammer, how far down the discussion do you really need to scroll to find all of that spammer's personal information? I haven't seen it in this discussion yet, but I am sure that this Ronald Scelson guy's info is somewhere in this discussion. Add to that the number of people that will be saying things like, "this guy should be taken out and shot", and you have a hotbed for vigilante type attacks on spammers.
Though, mind you, while I would never do anything like that myself (actually, I might, but I am not a programmer and so don't have the skills necessary), I can't help but get a warm fuzzy feeling every time one of these useless wastes of carbon get hacked and screwed. So, yes, it's probably not legal, and it may be morally dubious, but to all the people that make this guy's life hell, good work.

As a Senate committee sought answers yesterday on how to curb the overwhelming surge of junk e-mail, one of the nation's most notorious spammers told members just how hard their job would be.

Ronald Scelson, an eighth-grade dropout and self-taught computer programmer from Louisiana, riveted the Commerce Committee hearing room as he explained that he sends between 120 million and 180 million e-mails every 12 hours.

He boasted that in 24 hours he could crack sophisticated software filters designed to block spam.

And he accused Internet providers of hypocrisy in claiming to want to protect their customers from unsolicited messages.

Large Internet companies spam their own members, he said, while other network access providers have signed contracts allowing known spammers to send out mass e-mail.

"I'm probably the most hated person in this room," said an unapologetic Scelson, responding to a parade of technology, government and marketing officials who decried the purveyors of junk e-mail.

Scelson and eight other witnesses testified as Congress grapples with what Sen. Conrad Burns (R-Mont.) called a tide of "digital dreck" that threatens e-mail communication, one of the most powerful tools of the Internet age.

With spam now costing U.S. businesses upwards of $10 billion a year, Sen. Ron Wyden (D-Ore.), who is co-sponsoring an anti-spam bill with Burns, said it was time for Congress to stop dawdling and pass federal legislation.

All of the witnesses agreed that spam is a complex problem that defies an easy fix. But as executives from leading software companies and online providers fidgeted uncomfortably, the man known to anti-spam tracking groups as the "Cajun Spammer" described how he easily acquires millions of e-mail addresses from publicly available member directories at America Online and other providers.

Moreover, he said, "the same people complaining about spam send e-mail" with solicitations for their own products and services. "AOL spams its members," he said.

This prompted the committee chairman, Sen. John McCain (R-Ariz.), to turn to Ted Leonsis, vice president of AOL.

"Mr. Leonsis, are you a spammer?" McCain asked.

Leonsis, who had testified minutes earlier about how AOL was blocking 2.4 billion pieces of spam per day, did not answer directly.

"We let members opt out" of commercial messages sent by the company and affiliates, he said. And he accused Scelson of violating the company's "terms of use" agreement by using AOL's membership directory as a source for e-mail addresses. Scelson readily agreed.

Scelson also testified about how some Internet access providers signed little-known agreements, called "pink contracts," with known spammers to allow them to send mail in bulk, at prices higher than other commercial clients were charged.

Although the contracts mandated that bulk e-mailers abide by all state laws, Scelson said it did not matter if the e-mailers followed the rules. Most of the providers rip up the contracts and kick spammers off their systems after being threatened by anti-spam organizations that track mass e-mailers and put them on blacklists.

As a result, Scelson said, he has had no choice but to resort to forging the sender information in his bulk e-mail so he can be anonymous and maintain his connection to the Internet.

"This is censorship," he said, arguing that both anti-spam vigilantes and Internet providers that filter out spam are depriving people of their right to see their mail.

"People still buy this stuff," he said, claiming that his clients get a response rate to his e-mail of 1 to 2 percent.

Scelson, who said he does not distribute mail containing pornography, said one of his biggest clients sells a package of anti-virus computer software called Norton SystemWorks at cut-rate prices.

> "I'm probably the most hated person in this room," said an unapologetic Scelson,

and several dimensions away, Satan scraped the icicles from his beard and once more begged God to turn the heat back up. "Okay, so a spammer told the truth, but it only happened once, and it was an accident, it's not my fault, can I please have some frickin' heat down here already?!?!"

This sort of confirms that most spam is sent by a small group. Take this sucker out, and a massive amount of spam drops off the planet. Do it with enough prejudice, just to make sure nobody takes over the vacancy.

Because most of the actual monetary cost of sending the spam has already been incurred by the time you filter at the client. The message has already been transmitted from client to server to server to server to client over the internet, consuming bandwidth. It has already occupied disk space. Even the end-of-the-server-chain, pre-client filters like SpamAssassin only alleviate the last link in that bandwidth-bonanza (to-client).

That spam email should never be sent, period. It should not ever proceed across the internet whose bandwidth is being paid for by millions of users, providing benefit to the sender. It should never touch the hard disk of a server.

In addition, it simply takes too much sophistication for the VAST majority of email users to properly set up filters. A simple [ADV*] -> Trash filter would delete some email that quite honestly some users want -- special coupons from Amazon.com for repeat customers, for example. Those emails would by (proposed) law have to have the [ADV] tag on them. So then you add another filter above the Trash filter to allow ADV from Amazon through... and so on, and so forth.

Pretty soon the hassle of organising your filters has exceeded the hassle of having to just click 'delete' to spam (for the average email user). I can easily enter a new expression in my .procmailrc to deal with all kinds of situations, but Joe Schmoe email user shouldn't have to learn complex regular expressions.

Are you going to snailmail him on your dime? Otherwise, you're stealing from magazines, companies with catalogs, etc. Oh sure, it's just pennies here and there, but that's the same logic the spammer uses.

But okay, the reports of Al Ral getting buried in mail did make me smile.:^)

Ok, another spammer, joy, so when are we going to start getting lists of those who HIRE these urchins? I frankly would love to start re-routing all the spam that comes to me BACK to the idiots who hire spammers. Oh, and how about some postal addresses on these spam-buying scumbags too, eh?

From what I've seen, the products offered through spam come from the finest snake-oil salesmen that the world has to offer. Pretty much all an outrageous rip-off, if not an outright con. These businesses could probably be persecuted for other violations without even legislating spam, if some law enforcement types went over them with a fine-tooth comb.....

AOL has the luxury of being both part of the problem (huge customer list) and part of the solution (spam fighting tools). They sell both.

To the user they offer 'advanced' spam fighting tools. The users see the problem as external to AOL (EVERYONE gets spam after all), and continue to use AOL because they offer at least some kind of protection. This creates, in the users mind, value.

It is not in AOL's best interest for Spam to simply go away. Much like telemarketing is in the best interests of the phone companies (they CREATE the problem by selling phone numbers, and also sell the tools to fight the callers). AOL merely wants to propagate the perception that they are on 'our' side of the spam battle.

My false negative rate using Mozilla Bayesian filtering is way less than 1%, and the false positive rate since training is non-existent. Of course I do go back about once a month and re-train it with both positive and negative datasets but if you don't do good training how can you expect good results, it's almost like training a pet.
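To show what the post above is measuring, here is an added example (not Mozilla's code, and not the poster's setup) of a minimal naive Bayes mail filter: it is trained on a constructed corpus, scored on held-out messages with a high spam threshold so that false positives are avoided at the price of some false negatives, and then re-trained on a missed message to show the rates move. The tokenizer, smoothing, threshold and all message text are assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed training corpus (sample text, not real mail).
TRAIN_SPAM = [
    "buy cheap viagra now limited offer",
    "cheap software norton systemworks special offer",
    "enlarge your profits now click here cheap",
    "limited offer click now to claim your prize",
]
TRAIN_HAM = [
    "meeting tomorrow at ten to review the patch",
    "can you review my patch before the release",
    "lunch tomorrow at the usual place",
    "the release notes need a final review",
]
# Constructed held-out set: (message, is_spam).
HELD_OUT = [
    ("special cheap offer click now", True),
    ("cheap norton software", True),
    ("limited prize", True),
    ("patch review meeting tomorrow", False),
    ("offer to review the patch tomorrow", False),
]


def tokenize(text: str):
    """Lower-case word tokens, as a set so a repeated word counts once per message."""
    return set(re.findall(r"[a-z]+", text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()   # number of spam messages containing each token
        self.ham_tokens = Counter()    # number of ham messages containing each token

    def train(self, text: str, is_spam: bool):
        toks = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def spam_probability(self, text: str) -> float:
        """Naive Bayes in log-odds form. Laplace smoothing (+1 / +2) keeps a
        never-seen token from zeroing the product; a token unseen in both
        classes contributes exactly zero, i.e. is neutral."""
        log_odds = math.log(self.spam_docs) - math.log(self.ham_docs)  # class prior
        for tok in tokenize(text):
            p_spam = (self.spam_tokens[tok] + 1) / (self.spam_docs + 2)
            p_ham = (self.ham_tokens[tok] + 1) / (self.ham_docs + 2)
            log_odds += math.log(p_spam) - math.log(p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text: str, threshold: float = 0.9) -> bool:
        # A high threshold trades false negatives for fewer false positives,
        # which is the right bias when a lost legitimate mail costs more than a missed spam.
        return self.spam_probability(text) >= threshold


def train_filter(spam, ham) -> BayesFilter:
    filt = BayesFilter()
    for msg in spam:
        filt.train(msg, True)
    for msg in ham:
        filt.train(msg, False)
    return filt


def evaluate(filt: BayesFilter, labelled):
    """Return (false_positives, false_negatives) counts over a labelled set."""
    fp = fn = 0
    for text, truth in labelled:
        verdict = filt.is_spam(text)
        fp += int(verdict and not truth)
        fn += int(truth and not verdict)
    return fp, fn


if __name__ == "__main__":
    filt = train_filter(TRAIN_SPAM, TRAIN_HAM)
    print("before retraining (fp, fn):", evaluate(filt, HELD_OUT))
    filt.train("limited prize", True)     # the missed message, fed back as spam
    print("after retraining  (fp, fn):", evaluate(filt, HELD_OUT))
```

The point the comment makes shows up directly: the untrained-for message "limited prize" scores about 0.86, under the 0.9 threshold, and is a false negative until it is fed back as a spam example, while the ham messages stay far below the threshold throughout because their tokens were only ever seen in ham. Periodic re-training on both classes, as the poster does, is what keeps those two distributions apart as the vocabulary of spam drifts.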

Scelson tries to make the argument that what he does is no different than other advertisers who send their advertisements through the US mail.

Unfortunately he, like all other spammers, completely misses the point that the two are not related. When LL Bean sends its catalog to you it costs the company X cents to do so per each catalog.

When Scelson sends out his 180 emails a day it costs him X cents in total. However, it costs all the ISPs whose bandwidth he and others chew up X dollars per email. Thus, he is offloading the cost of doing business to the people who are receiving the email.

This reminds me of the old postal system in the UK. In days gone by it was the receiver who had to pay to accept the piece of mail. If they didn't pay the mail was returned. It is only in recent history that the mail system is such that sender pays.

I wonder if Mr Scelson would be happy if all the advertisers who send him their mailings would tell him he has to pay to get those things whether he wants them or not.

Postage stamps were first introduced in Britain, in 1840. As you say, before then it was the recipient who paid for the mail, not the sender.

Now in those days that was sensible, since there was no mail system as such anyway. Cash on delivery was the only way you could be fairly sure that the messenger would actually deliver your letter -- since if he didn't, he wouldn't get paid.

Problem was, people cheated the system. Early hackers, shall we call them, figured out that they didn't need to have their letters actually delivered & paid for to communicate. For instance, if someone wanted the answer to a simple yes-no question (remember, all long-distance communication was by letter then, so this happened a lot), they could set up a code for the response to be communicated by the colour of the envelope. So: messenger arrives with a letter -- but the recipient, having seen the colour of the envelope, says he doesn't want it and refuses to pay.

Solution: set up a national postal system that people trust, so they're willing to prepay for delivery.

Of course, 150 years later and US phone companies make the same mistake with cellphones. Charge people to receive calls + caller id -> don't answer, just call back on a land line.

Why do I have this knot in my stomach as Congress prepares legislation to stop spam? Remember when they 'deregulated' the cable industry and all our rates went up? I know it is possible to go from bad to worse, but what is after that?

Scelson, who said he does not distribute mail containing pornography, said one of his biggest clients sells a package of anti-virus computer software called Norton SystemWorks at cut-rate prices.
Officials at Symantec Inc., which makes the Norton software, said in an interview that although they have not seen the package Scelson's client is selling, other similar offers that they have tracked down have proved to be counterfeit.

I get 1-2 Norton SystemWorks spams a day. If they're from this fucker, let's hope the Symantec people are able to find out where he lives, and sue him into oblivion.

One thing to keep in mind when talking with spammers is that they always lie. They lie to themselves ("everything I do is legal", "I am forced to hijack open proxies") and they lie to everyone else ("Here's the information you requested").

The career spammers are, indeed, bold enough to even lie to the US Government, face-to-face. Too bad the US Government is usually totally cluefree when it comes to the spam problem, so these conmen get away with lying to senators.

Proletariat of the world, unite to kill spammers. Remember to shoot knees first, so that they can't run away while you slowly torture them to death

Now I KNOW the /. crowd is a haven for anti-spam vigilantes. You spout total anti-spam crap and get modded up for it like mad. You're making statements as if they are defined fact and there are no two ways about it. You show you know very little about spam, or even AOL for that matter.

Let's start with AOL. You say there is no way AOL sells their info. Well, I know 3 local businesses here who bought AOL member addresses from AOL, buying only the sections of our local town even. AOL will not only sell you their members, they will offer targeted selections.
Now, I doubt AOL puts this on their site next to their member sign-up, but from what I have seen, they sure do sell your addresses. In fact, I'll bet you did not know AOL tracks where their users go on the web for marketing purposes. Yup, if you visit a mortgage site, they immediately sell your info to their list of mortgage lead buyers. By morning, you will have several offers for mortgages in your inbox. And this happens for all kinds of businesses. I mean, they control your email and your net connection, why not market accordingly. I'm sure a few of you AOL users have experienced this before, or perhaps could try it?

Now, as far as all spammers being liars, I see you are just one of the anti-spam flock, spouting propaganda. It's disappointing no one on /. actually reads the articles, or can remember ones from a few weeks ago. You might remember a bit on Spamhaus showing the top 200 spammers causing 90% of the spam. Well, I know 2 of those people. I know one because they live 3 towns over from me, running a small PC shop in Halifax, MA. If you email me, I'll send you their business address, directions, even their home info. :) The other one I met because of them. I can tell you they are unscrupulous, a bit dumb, and have no troubles telling lies. The ones I know are total dicks. The issue is the remaining 90% of small time spammers, some of whom are actually ok guys.
Granted, they should be paying for their use of email, yata-yata. Case in point, the 3 shop owners I know locally who bought those bits of AOL's lists. They offer honest products, they try and target locally, so they don't send people who can't possibly use their service an ad, and they honor remove requests. They even offer their shop info in the email so they can be contacted directly. The system could be better, but at least they try. They do not fit your bill of the evil spammer. Some really are pretty bad. Some are not. Your sweeping statements of ignorance and promises of murder at the end are totally unwarranted.

I will be sure to remember to offer to murder you next time I disagree with the way you do business. How you got modded +5 for this steaming pile of flamebait is beyond me, but I'll certainly burn some karma to put out an opposing statement. I guess that is what public forums are all about. ::drinks a little more distilled Usenet post evil:: Cheers.

An officer of a company should not make a statement without ensuring it is correct, or taking reasonable means to ensure it is correct. When a specific claim is made, like this, there are a few options.

1. No statement at this time, or no comment.
2. Suggest that this didn't happen. This is against our standard policies.
3. Investigate the statement, and then comment on its accuracy.
4. Say we did no such thing, without checking. This is reckless, and a responsible person should not do so.

I know it sounds weaselish, but you MUST not make a statement when you do not have the information to justify it. You can get in a lot of trouble for lying.

AOL sold the member list, and Leonsis denies: Leonsis is risking perjury and contempt of Congress charges (both of which are jailable offenses)

AOL did not sell the member list, and Leonsis affirms: perjury and PR disaster

AOL did not sell the member list, and Leonsis denies: status quo ante

Leonsis neither affirms nor denies: status quo ante

There's no reason Leonsis would know every dealing that AOL does (especially those before he rose to this level); if he affirms, he's fucked. If he denies, the best he can hope for is status quo ante if he's right; if he's wrong, he's fucked. So if he answers, 4 things can happen, and 3 of them are bad.

I think I have it. If we get the spammer's postal address, and the postal address of those who hired him, maybe we should just print out all the spam we get and send it to the one who hired him, postage due. :)

As an added bonus use the spammer's postal address as the return address.

In the few days I have been using TMDA [tmda.net], I have been exceedingly satisfied. It is a much better solution than SpamAssassin. You should try to whitelist most of the people you expect to receive email from ahead of time, but I haven't had any complaints from people having to respond to a message bounced back to them for authentication.

That, in combination with qmail's revokable dash-addresses (howard-amazon@cow.com, howard-slashdot@cow.com, etc.), makes it an excellent solution not just for avoiding spam, but for tracking its sources as well.

If he's sending 240 million emails a day and getting 1-2 percent return, even if he only make a few dollars off each sale that's a profit in the order of billions a year. Do you get the feeling he's lying to the senate?

No. "Response" and "sale" are clearly two different things. Of the 1-2% responses, probably less than 1% of those (i.e.,

"People still buy this stuff," he said, claiming that his clients get a response rate to his e-mail of 1 to 2 percent.

Let's say 10 million emails per hour (lowest), 1% response rate (lowest), that's 100,000 responses per hour! That means that over the course of a year, we are talking about 876 million responses. Divide that by the 165.75 million internet users in the US, and we learn that each and every one of you respond to him 5 times per year!

Well, maybe he spams the entire world. I have no idea how many internet users there are in the world, but let's say it is something like one billion. That means everyone responds to him almost yearly! Amazing! Now I only have one question: those responses, are they sales or deaththreats?

I think Scelson greatly overstated his response rate. I've seen web pages offering spamming-for-hire services, and the response rates they claimed were generally in the range of 50 to 100 responses per 100,000 sent.

Also, I never saw any statements about the kinds of responses. I'm inclined to think the spammers-for-hire count all kinds of responses (including the death threats) to make their numbers look better.

A 1% response rate is extremely unlikely. Normal direct (snail) mail tends to get response rates of 1-2%. Double opt-in (where a verification message has been sent, and the user has responded to it to confirm they want to sign up) e-mail campaigns can easily get as low as 1 in 10,000 or 1 in 100,000 if the list is unqualified and not in the right target group. Spam would likely be much worse than that. So he's probably lying through his teeth.

Of course, as you suggest, he could be counting death threats as responses as well :-)

Still, with today's bandwidth prices, and an estimate of 10kb per e-mail, if he's sending 10 million messages an hour, he'd be sending around 100GB an hour at around $50 an hour (likely less, given the volumes and since it's mail traffic where he doesn't need to pay a premium for low latency connectivity). A product with a reasonable markup and he might be able to recoup the cost of those 10 million messages with a single sale, possibly even making a nice profit.

And that's why asking people not to buy from spammers won't be enough to get them out of business.

He doesn't need to recoup anything; he can just get his client to pay up front, regardless of the actual response rate.

I personally think it's not only the spammers which need hefty fines; it's the people hiring them. I don't think jail time for fraud and many counts of unauthorised computer use (and paying someone to do these things for you) is a bad idea either.

Never mind crap like "spammer gets $100,000 fine, sells one of his Ferraris to pay for it"; I want to see "spammer gets $100,000 fine, 3 year jail term, and all assets potentially paid by or related to spamming confiscated. Companies responsible get $1,000,000 + 1 year profit fine each".

Then I want to see Bush announce a War on Spam; out of the country? No fines for you, we'll just blow you up with a Predator Drone.

Sadly I doubt much less than this would have a significant impact on the problem. And blowing people up might be taking things a little far ;)

Yes - many people use analogies to make their point on Slashdot - so here's mine.

People need to guard their email addresses in the same way they practice safe sex. Don't go sticking your email address just any old place...

Ok, that was bad. The exceptions are cases where your ISP screws you and sells your name (like those sorry AOL customers had happen to them) or people who use brute force address guessing algorithms.

Although I think the legislation being considered is a good first step --

The Burns-Wyden bill would make it illegal for bulk mailers to forge their sending location, have deceptive subject lines or prevent users from removing their names from e-mail lists. Owners of networks would retain the ability to block mail, and the legislation gives Internet providers legal standing to hunt down and sue spammers.

The committee also heard from Sen. Charles E. Schumer (D-N.Y.), who advocates a nationwide do-not-spam registry similar to a newly created do-not-call telemarketing list, plus an international treaty on spam.

Nothing really beats good filtering. I put together a server-side filtering process using Mail::Audit. I support several end users who can administer their mail rules (e.g. block if subject has "viagra" or if sender is spamboy@jizzmop.com, etc.) using a web-based interface and MySQL back-end. People can share rules as well. It's working pretty well for everyone. Additionally, Mail::Audit allows you to tap into the RBL, which essentially will give you an "unlisted number" - only those you have explicitly granted permission to receive from can reach you. Sounds extreme, but I get ZERO spam.

... is here. [spamhaus.org] He must not be doing all that well if he can't scrape together the dough to get his fat ass out of Slidell, Louisiana, a town I had the misfortune of driving through a year ago and whose only redeeming feature is the Lake Ponchartrain bridge/causeway leading out of it and to New Orleans.

Here's a proposal, as it seems like the world is moving closer to a 'whitelist' (reject by default) method of spam combat. Perhaps there should be a global whitelist set up, where a user signs up and must verify their mail address; then the mail address is MD5 hashed and stored in a database. When recipients receive an email from a sender, they simply hash the From address and check to see if the hash exists in the database. If it's present the mail is accepted; if not, rejected. This solves the problem of invalid From addresses always used in spam, as well as solving the problem of preventing data-mining of such a 'whitelist' database by spammers (as it contains only checksums). And it solves the problem of being able to receive messages from people you haven't personally explicitly whitelisted, i.e. old friends from high school, acquaintances with new email addresses, etc.
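As an added example (not the poster's code), here is the hash-only whitelist the post describes, in Python with a constructed verification step. The `membership_probe` function at the end illustrates one limit of storing bare MD5 digests: anyone holding a list of candidate addresses can still test each one against the database, and a message that forges a registered From address passes the check.

```python
"""Hash-only sender whitelist, as proposed in the post above (added example).

Constructed scenario: a global registry stores only the MD5 digest of each
verified sender address. A receiving MTA hashes the envelope sender and
accepts the message only when that digest is present.
"""
import hashlib
import secrets


def normalize(addr: str) -> str:
    # Canonical form so "Alice@Example.COM " and "alice@example.com" collide
    return addr.strip().lower()


def address_digest(addr: str) -> str:
    # The registry stores this value, never the address itself
    return hashlib.md5(normalize(addr).encode("utf-8")).hexdigest()


class HashedWhitelist:
    """Registry of verified senders, keyed by digest only."""

    def __init__(self) -> None:
        self._digests: set[str] = set()
        self._pending: dict[str, str] = {}  # digest -> verification token

    def request_registration(self, addr: str) -> str:
        """Start verification; the token would be mailed to addr (assumed)."""
        token = secrets.token_hex(8)
        self._pending[address_digest(addr)] = token
        return token

    def confirm(self, addr: str, token: str) -> bool:
        """Complete verification; only a matching token adds the digest."""
        digest = address_digest(addr)
        if self._pending.get(digest) != token:
            return False
        del self._pending[digest]
        self._digests.add(digest)
        return True

    def contains(self, addr: str) -> bool:
        return address_digest(addr) in self._digests


def accept_envelope_sender(registry: HashedWhitelist, mail_from: str) -> bool:
    """Receiving side: reject by default, accept only registered senders.
    Note that a forged but registered address passes this check."""
    return registry.contains(mail_from)


def membership_probe(registry: HashedWhitelist, candidates: list[str]) -> list[str]:
    """Limit of the design: digests prevent a plain dump of the list, but any
    holder of candidate addresses can hash each one and test membership."""
    return [c for c in candidates if registry.contains(c)]


if __name__ == "__main__":
    wl = HashedWhitelist()
    tok = wl.request_registration("Alice@Example.com")
    print("confirmed:", wl.confirm("alice@example.com", tok))
    print("alice accepted:", accept_envelope_sender(wl, "ALICE@example.com"))
    print("bob accepted:", accept_envelope_sender(wl, "bob@example.net"))
    print("probe:", membership_probe(wl, ["bob@example.net", "alice@example.com"]))
```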

Why isn't this the same crime as handing someone an ID card which says you are someone you are not?

While I hate spam as much as the next guy, this is not the same thing. Spam with modified headers is like somebody calling you up and saying they're in Oregon when they're really in Nevada. That's not illegal, nor should it be.

Your analog is more like forging (or stealing) secret PGP keys.

BTW, I've always thought it funny that /. folks are so against spam, yet they're all for anonymity on the net. We

he has no choice but to resort to forging the sender information in his bulk e-mail so he can be anonymous and maintain his connection to the Internet.

Is that like bank robbers being forced to don a mask so they can remain anonymous and maintain their 'business operations'?

I've had one of my email addresses used as a Reply-To: for quite a few spams. A real PITA. Not only did that address get the standard spam, it got bounces from nonexistent recipients, sometimes in the hundreds per day, as the result of dictionary attacks on various ISPs. On top of that, you get the indignant replies from pissed-off people.

We should designate some day in the near future as "Everybody is a Spammer" day. On that day, everyone will send as much spam as possible to every email address they have. Since 8th graders are capable of spamming effectively I would guess that a significant percentage of the population is as well.

What would the result of this be? Email would be totally unusable that day and perhaps for many days afterwards. Not only would it get government officials to take notice, it would cause even the spammers to see the evil of spam. Those that are capable of seeing it anyhow, most of them are probably blind to it.

Scelson said he supports anti-spam legislation. But while committee members were clearly intrigued by his story, they gave little weight to his proposed solution: Pass a tough spam law, but then prevent any Internet provider from blocking e-mail from bulk marketers that abide by the law.

The Burns-Wyden bill would make it illegal for bulk mailers to forge their sending location, have deceptive subject lines or prevent users from removing their names from e-mail lists. Owners of networks would retain the ability to block mail, and the legislation gives Internet providers legal standing to hunt down and sue spammers.

(emphasis mine) I think it's a brilliant suggestion. If the Burns-Wyden bill is passed, then I can easily filter my mail to stop spam I don't want to see. I don't think that my ISPs should be blocking email that may be spam but follows these rules. The filters in Eudora and Outlook Express are powerful enough to stop all spam I am not interested in receiving if I know for a fact that the forged header problem vanishes. I think it's a great compromise.

I guess that explains statements like the following, that display his keen insight into our system of government:

"But carriers should be held accountable when they submit to anti-spam groups. Terminating services to companies' such as my own without any legal reason to do so is not the democracy that we should all be living."

Jackass, if you're reading:

1) This is not a democracy. We're a democratic republic. There's a big difference.

2) Forcing someone else to provide you a service is neither freedom, nor related to a democracy. In fact, that would be contrary to freedom.

3) Claiming you're FORCED to forge email addresses because of "bullying tactics" is akin to claiming you were forced to break into my house and dump junk mail on my desk because I refused delivery.

Apparently you think America is all about you, and that you somehow have a level of freedom that compels others to act according to your wishes.

I've grown used to logging on in the morning, deleting 20-50 spams that made it through my ISP's filter, then reading the 1-10 valid messages.

Until a few days ago...

Then I started getting bounced messages showing up in the inbox. First a dozen or so, and now 300+ per day. Some unscrupulous bastard put my e-mail address as the return address on those damned "Penis enlargement" spams and sent out a coupla hundred thousand. All have a different name ("Buffy", "Steve", "Frank", etc.), but all with my e-mail address.

I've had that address for nearly 10 years, which is the reason I put up with spam on it, but now I'm going to have to kill it all because some moron (the messages originated in China according to the headers) picked my name at random to hide behind.

I have been looking at the source of my spam lately, and, although the email addresses are always forged, the body of the messages nearly always point to some website.

What we should do is have a way to automatize the slashdotting of these sites. The resource cost for every recipient is very small, but is very high for the target web site. If the site is run directly by the spammer, then that's great (he gets to pay the bandwidth bill). If it is run by the spammer's client, then that's even better. If it is hosted on a free non-commercial facility, it will wake them up and will make them find a way to make their users accountable.

So how to do this in a very user-friendly and convenient way?
Make a distributed-computing application, very light-weight, that runs on every platform. You should be able to set the maximum bandwidth you want to use (the default could be very low, like 5kbps), when it should start and stop, etc. The app will go and fetch a list of URLs of images or HTML pages on the target servers, and start downloading them to /dev/null. The app should have a funny user interface that lets you know when a target host becomes unavailable (victory! another one bites the dust!), etc. The downloadable list of target hosts should be maintained by a trusted source (it could be GPG signed, for example), maybe mailed to you through a MixMaster remailer to avoid spammers suing the originator.

After dozens of attempts to get AOL to implement the most rudimentary outgoing filters on their Email system, and getting ZERO response, I have regretfully informed our user base that we will no longer accept any Email emanating from any machine with an AOL.COM IP address.

They are breaking the rules of the Internet (see: SMTP RFC [isi.edu]s) by improperly implementing postmaster@aol.com (see rfc-ignorant.org [rfc-ignorant.org] for details) and their mail relays have sent hundreds of viruses into my domain.

I have asked all AOL users at my site who wish to continue emailing their home addresses from work to get a new service provider and given them two months to do so. I have recommended several small local ISPs to them that I know provide good service and never allow easily detected virii like Yaha, Klez and SoBig to transit their mail hubs.

We, fellow slashdotters, can use our enormous power as administrators of email hubs to get AOL's attention - since it seems more civilized methods are useless. The social contract of the Internet is simple; play by the rules (i.e. implement the required RFCs) or you are not part of the community.

...and that he has no choice but to resort to forging the sender information in his bulk e-mail so he can be anonymous and maintain his connection to the Internet.

Software like TMDA [tmda.net] prevents spam by sending a response and requiring it to be replied to, kind of like this [slashdot.org], mentioned earlier this week. How about implementing something similar to this, except at an earlier stage in accepting mail?

Just like we have MX records, we could add another type of DNS record (or use a TXT record) that lists the IPs of every SMTP server that is allowed to send mail for a domain. When your mail server receives

MAIL FROM:<imaskankyspammer@hotmail.com>

it does a DNS query for that TXT record for hotmail.com, and compares the IP that is sending the mail to the list of IPs received from hotmail's DNS server. If it's on the list or if there is no list (the domain hasn't added the TXT records), the message can continue to be sent. If it's not on the list, or if the domain doesn't exist, the message bounces instantly. There could also be a list of whitelisted IPs that can send mail from any domain (for your secondary MX).

Comments? It's trivial to add the TXT records, and the modifications to the SMTP server are fairly simple. The only drawback I can think of is that it wouldn't block much spam until a big provider like hotmail or yahoo adopts it, however they have the most motivation for doing this since it would prevent spammers from using their email addresses as envelope senders, and it would force users to use their web interfaces to send mail.
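An added example (not the poster's code) of the check described in the post above, in Python, with the DNS answers constructed inline so it runs offline. The `allowed-smtp=` record label, the secondary-MX whitelist and the handling of the null sender `<>` are my assumptions; the scheme closely resembles what SPF later standardised.

```python
"""Envelope-sender authorization via per-domain DNS TXT records (added example).

The receiving MTA reads the domain from MAIL FROM, looks up a TXT record
listing the IPs allowed to send for that domain, and compares the connecting
client's IP against it. Policy, as described in the post:
  - IP on the list, or domain publishes no list  -> accept
  - IP not on the list, or domain does not exist -> reject
  - a local whitelist of relays (secondary MX) may send for any domain
"""
import re

# Constructed stand-in for DNS: domain -> TXT strings. A domain missing from
# the dict plays the role of NXDOMAIN. The "allowed-smtp=" label is assumed.
FAKE_DNS = {
    "bigmail.example": ["allowed-smtp=198.51.100.10 198.51.100.11"],
    "nolist.example": ["v=other record, unrelated to mail"],
}

# Assumed local policy: our secondary MX may relay mail for any domain.
SECONDARY_MX_WHITELIST = {"203.0.113.5"}

MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def parse_mail_from(line: str):
    """Return the sender domain, '' for the null sender <>, or None if malformed."""
    m = MAIL_FROM_RE.match(line.strip())
    if not m:
        return None
    addr = m.group(1).strip()
    if addr == "":
        return ""
    local, at, domain = addr.rpartition("@")
    if not (at and local and domain):
        return None
    return domain.lower()


def lookup_allowed_ips(domain: str, resolver=FAKE_DNS):
    """None when the domain does not exist, otherwise the set of listed IPs
    (an empty set when the domain exists but publishes no list)."""
    if domain not in resolver:
        return None
    allowed = set()
    for txt in resolver[domain]:
        if txt.startswith("allowed-smtp="):
            allowed.update(txt[len("allowed-smtp="):].split())
    return allowed


def check_sender(client_ip, mail_from_line, resolver=FAKE_DNS,
                 relay_whitelist=SECONDARY_MX_WHITELIST):
    """Decide at MAIL FROM time. Returns (accept, reason)."""
    if client_ip in relay_whitelist:
        return True, "client is a whitelisted relay"
    domain = parse_mail_from(mail_from_line)
    if domain is None:
        return False, "malformed MAIL FROM"
    if domain == "":
        # Assumption: the null sender used for bounces has no domain to
        # check, so it is let through by this rule.
        return True, "null sender, nothing to verify"
    allowed = lookup_allowed_ips(domain, resolver)
    if allowed is None:
        return False, f"domain {domain} does not exist"
    if not allowed:
        return True, f"{domain} publishes no sender list"
    if client_ip in allowed:
        return True, f"{client_ip} is authorized for {domain}"
    return False, f"{client_ip} is not authorized for {domain}"


if __name__ == "__main__":
    # Constructed sessions: client IP and the MAIL FROM command it sent
    for ip, cmd in [
        ("198.51.100.10", "MAIL FROM:<user@bigmail.example>"),
        ("192.0.2.77", "MAIL FROM:<imaskankyspammer@bigmail.example>"),
        ("192.0.2.77", "MAIL FROM:<user@nolist.example>"),
        ("192.0.2.77", "MAIL FROM:<user@nonexistent.example>"),
        ("203.0.113.5", "MAIL FROM:<user@bigmail.example>"),
    ]:
        print(ip, cmd, "->", check_sender(ip, cmd))
```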

Do you honestly think Congress gives a good goddamn about spam? Congressman don't have to deal with this shit; their lackeys do.

This issue isn't about killing spam - it's about using spam as an 'issue' to kill anonymity online. It's yet another attempt by the government to throttle what remains of our privacy, and spam is a very convenient complaint to base this sort of legislation on.

Thanks but no thanks. I'll take the spam in exchange for privacy. My privacy is far more important than any government attempt to curb unwanted email, especially when it's just a ruse to eliminate what few rights I have left.

I tend to try to turn problems around and see if there's not a fun backwards approach. (Like instead of trying to stop a bulldozer you find a way to lure it into a swamp.) It doesn't always work and often ends up with people pointing at me and laughing. So be it.

In the case of spamming I've started to wonder about open relay blocking. Most sites that offer information about open relays to facilitate blocking (such as ordb.org) do not make the contents of their open relay lists public. And that made perfect sense to me until yesterday when (while looking into several spam filtering methods) I got curious and started looking for a list of open relays. I found at least one such - but it was clearly aimed at the spammers as it had incomplete information and a way to purchase a subscription.

So, by making open relay lists private and secret, we're actually supporting the spam industry (not necessarily the spammers directly, but the folks who sell them stuff).

Maybe it's time to think about releasing the lists.
This could have several interesting effects (positive :), neutral :| and negative :( ):

:| The organizations who collect open relay lists would continue to function as they do now, but sites that would like to use the lists heavily could download their own copies.

:) The folks who sell open relay lists would find it harder to do that if the information were freely available. With a bit of luck they'd go out of business.

:) it would become much harder for site admins to ignore open relays they control if everyone used them and the traffic went way up. This would be an incentive to close them. (Of course, it would be unethical to suggest that anyone else route their mail through the relays - that would amount to a denial of service.)

:) As the relays got closed, the traffic on those left open would increase dramatically - thus increasing the pressure on those site admins.

:) Knowing that a site has open relays might prompt users, friends of the site admins and so on to bug them into closing them. Currently it would require rather more work on the part of such buggers to determine that the buggee needed bugging.

:) Eventually, with a bit of luck, the great majority of the open relays would be closed and spammers would end up using very slow machines. Indeed, it might become profitable for major sites to run a couple of open relays on (for example) an old 80286 on a 1200 baud serial line.

:) Eventually, faced with a small pool of (slow?!) open relays, spammers would turn to spam support sites that could send the mail for them. And I'd be willing to bet that such sites would charge nicely for the service. And there's still nothing to prevent a user from blocking those sites.

:( There would be a serious (but I suspect temporary) increase in spam. Current spam filters would not stop working.

:( There would be problems with people forging open relay lists with machines of people they might want to annoy. (This could be handled by digitally signing such lists from trusted sites.)

:) It would keep the congresscritters from meddling in things they don't understand - with what is almost certain to be disastrous effect.

Maybe it wouldn't work, but the stuff written about the spam proposal before congress is seriously scary - it would essentially legitimize whole classes of spam and make it much harder to turn off such "legitimate" spam.

In my wonderful country (!= US), we have a system where you can put an official sticker (free at town hall) on your mailbox saying that you don't want junk mail, and you don't get any (mistakes excepted, but hey, once a year or so). The same stickers also allow you to differentiate between "junk mail" and "local advertisement papers" (which can be handy if you want to know what's going on in your local community).
If a similar system could be implemented for email (I doubt that, at least any time soon), then I

If you want to get your slogan and company name out there fast, it makes sense to use the Internet and email systems.

If you want to attract and retain a loyal customer base, it absolutely doesn't make sense to use spam or other annoying methods of advertising on the Internet.

As an example: I work for a company that owns one of the major online travel sites. A few weeks ago, we had an all-company conference call, and one of the members in my group pointed out that another online travel site had recently stepped up its advertising via popup ads on web sites. He asked why we weren't annoying the consumer with popup ads. The leader of the call replied, "I think you just answered your own question." He explained that while popup ads may be effective, they don't make any friends among consumers and they don't build loyalty.

If popup ads have such a negative impression, don't you think unsolicited commercial E-mail has a much more negative impression on the Internet population? Here's a hint: The spammers who sell Viagra (r), Viagra substitutes, penis extension pills, mortgages, and other spamvertised products almost never reveal their real business name. They hide behind throwaway e-mail addresses and make themselves untraceable to their audience.

Would a business concerned with consumer loyalty really have to hide themselves? My local grocery store doesn't have to hide from me. Neither does Target, Borders, Best Buy, or any number of bricks-and-mortar retailers. Amazon.com doesn't have to hide from me, nor do any of the online travel sites. Yet the spammers pushing penis pills don't dare reveal who they are, where they work, how I can contact them, or anything traceable.

I would rather trust a spammer than a lazy computer programmer to get a job done, that's for sure. It's not about being nice, it's about being a hard worker. Stupid isn't forever, but lazy is.

I think you're trolling here, but in case you aren't: That "hard work" relies on hijacking other people's resources. It relies on deception and lies to push a product to people.

Sadly, fraudulently representing yourself is protected speech under the First Amendment to the Constitution. The Nike case in California [bookweb.org] is the biggest test to this in a really long time.

I don't think things would be so different if corporations didn't have that right -- the actors, script writers, spammers, etc. working for corporations would still have the right to tell you lies, as individuals.

(OT TIME) What pisses me off is when the *cops* are allowed to misrepresent the truth. Like alleged sniper guy John Malvo not getting a lawyer because he asked "Do I get to see a lawyer?" and the cops said "No." Then he started singing like a bird. The judge ruled the testimony should be allowed, since Malvo didn't explicitly ASK for a lawyer -- he didn't say "Can I see a lawyer?" But it's clear from his question that his intent was to see a lawyer, and it's also quite clear that the cops knew they could play word games with him, because everyone wants this kid to fry so jurisprudence goes out the window. Hmmm, I guess it does piss me off that the cops lie, but it pisses me off even more that it now has a big fat stamp of approval, at least in Virginia. What a crock -- what if someone who doesn't speak English well (Malvo perhaps) is detained and can't formulate the specific grammatically correct sentence to request a lawyer? Oh, wait, that person is probably a terrorist [nynews.com] or illegal immigrant, never mind.

So, I guess the overall arc of this post would be: don't come bitching about how horrible all these spammers are, they lie, hide behind secrecy etc. when that sort of behavior is exactly the same thing our legal system is doing with Malvo, and don't get me started on Ashcroft's tactics.

And, what's the fucking problem with spam in the first place. C'mon people, I have had the same HOTMAIL account for like five years, and for a LONG time my email was listed with each post on SlashDot. I still don't get that much spam, maybe five a day, and I'm not so freaking busy that I don't have the FIVE SECONDS it takes to delete them. What's that, you say? You run a mail server and the spam has got you down? Well, that's why your job is to run that mail server. If it were easy, they wouldn't have to go out and hire a specialist.